Smart questions for analyzing virtualization-cloud products

There are many security issues to consider when selecting virtualization cloud products for your organization. Gregory Machler suggests questions to ask when you're examining your choices.

There are a variety of popular virtualization-cloud-infrastructure products that enable the virtualization of multiple applications on one server. With so many to consider, and so many questions to ask, let's start with this: What type of infrastructure virtualization product do you look for when you have security in mind?

You want one that has clean virtual machine integration (Infrastructure as a Service) with host intrusion detection software, anti-virus protection and malware protection. Each virtual machine supports the latest protection measures that are normally addressed within servers (Platform as a Service). What security measures should be deployed within the server that supports the multiple virtual machines within its kernel or operating system? This server should execute HIDS (Host Intrusion Detection System), anti-virus protection, and server monitoring software to monitor its uptime and health.

What security-related network features do you want? It would be beneficial to have a network virtualization management layer that integrates within the infrastructure management layer. This network management layer addresses three areas. First, the virtual machines need to support web application load balancing over multiple virtual machines to support high bandwidth web traffic. Secondly, like the quality of service (QoS) functions that exist when requesting bandwidth over the internet backbone, it is beneficial to have allocations of bandwidth for each application running on a virtual machine. Applications split up the network bandwidth dedicated to a given server. Thirdly, the bandwidth rules must be tethered to specific virtual machines even when the virtual machines migrate from one server to another. This bandwidth migration is one portion of the puzzle that is necessary for seamless disaster recovery.

What about storage security concerns? First, it would be beneficial to have a storage virtualization management layer that integrates with the infrastructure management layer. This management layer addresses three areas. The first one is the mapping of storage capacity to a specific virtual machine. If a virtual machine nears storage capacity limits, it can allocate more capacity by linking one allocation of cloud storage to the next allocation of cloud storage (like a linked list in software) so that storage can grow as the application needs it.

Secondly, the storage virtualization layer sets the policy for a given application's storage replication over remote (over 200 miles) and/or local distances. This is a critical component of disaster recovery. Thirdly, the storage virtualization layer defines the policy that gives direction to the virtual machine, helping it reconnect to the allocated cloud storage chain when migrating to another server locally or to a server in another city.

Why would I want all of this floating storage (tethered)? It promotes simple application business continuity and disaster recovery. If the infrastructure layer with its corresponding virtualized network and tethered storage layers floats anywhere, only the Software as a Service and Platform as a Service layers need to be replicated elsewhere for full application protection.

What about information security within an infrastructure layer? For database applications, data encryption is defined by the database administrator for specific tables or rows. So, this database data is already encrypted within the cloud storage associated with the database. But what about data that is not stored within a database, like files or cloud storage blobs? It is beneficial for the storage management layer to apply a storage encryption policy to a given application's cloud storage.

What types of real-world examples do virtualized infrastructure products address? In my current consulting role as a risk assessment consultant, the corporation periodically upgrades their infrastructures. They insert new hardware and upgrade software for platforms (web servers, operating systems, and server hardware) and infrastructure platforms (virtual machines and associated server hardware) beneath the applications. Oftentimes the network and storage infrastructure has already been upgraded before this occurs. In other words, corporations want their infrastructure layer to be invisible if possible. They want the virtualization infrastructure product to greatly facilitate application growth, inexpensively support existing applications, allocate network and storage resources dynamically, and support disaster recovery.

In summary, corporations want virtual machines to be protected in a similar fashion as current servers are protected. They want the virtualized bandwidth to be carved up and tethered to a given virtual machine. This bandwidth is attached to a given virtual machine unless it needs to fail over to another local or remote server. Likewise, the storage capacity needs to be mapped to one or more storage subsystems simultaneously so that disaster recovery is supported. The mapped storage capacity also needs to float so that a virtual machine can be migrated to another cloud and the application can continue in real-time. Centralized management of an application's virtual machines, network, and storage capacity enables infrastructure disaster recovery. All of this complexity exists to make the infrastructure appear to be invisible.
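The questions above can be turned into checks over an inventory export. The following is an added example, not code from the article or from any product: all class, field and host names are hypothetical, the inventory is constructed, and it assumes the disaster recovery policy requires a remote replica and that database volumes are encrypted by the database administrator.

```python
from dataclasses import dataclass, field
REMOTE_MILES = 200  # the article's distance for "remote" replication
VM_NEEDS = {"hids", "antivirus", "antimalware"}
HOST_NEEDS = {"hids", "antivirus", "monitoring"}

@dataclass
class Volume:
    name: str
    kind: str           # "database" (assumed encrypted by the DBA), "file" or "blob"
    encrypted: bool     # storage-layer encryption policy applied
    replica_miles: int  # distance to farthest replica, 0 = none
@dataclass
class VM:
    name: str
    mbps: int           # bandwidth allocation tethered to this VM
    agents: set
    volumes: list
@dataclass
class Host:
    name: str
    capacity_mbps: int
    agents: set
    vms: list = field(default_factory=list)

def audit(host):
    out = [f"{host.name}: host lacks {a}" for a in sorted(HOST_NEEDS - host.agents)]
    used = sum(vm.mbps for vm in host.vms)
    if used > host.capacity_mbps:
        out.append(f"{host.name}: bandwidth oversubscribed {used}/{host.capacity_mbps}")
    for vm in host.vms:
        out += [f"{vm.name}: VM lacks {a}" for a in sorted(VM_NEEDS - vm.agents)]
        for vol in vm.volumes:
            if vol.kind != "database" and not vol.encrypted:
                out.append(f"{vm.name}/{vol.name}: no storage encryption policy")
            if vol.replica_miles <= REMOTE_MILES:
                out.append(f"{vm.name}/{vol.name}: no remote replica")
    return out

def migrate(vm, src, dst):  # the allocation and volumes travel with the VM
    if vm.mbps > dst.capacity_mbps - sum(v.mbps for v in dst.vms):
        return False        # destination cannot honor the tethered bandwidth
    src.vms.remove(vm)
    dst.vms.append(vm)
    return True

def sample():  # constructed inventory, not real data
    web = VM("web1", 600, set(VM_NEEDS), [Volume("uploads", "blob", False, 350)])
    db = VM("db1", 300, {"hids", "antivirus"}, [Volume("orders", "database", False, 0)])
    a = Host("hostA", 1000, set(HOST_NEEDS), [web, db])
    b = Host("hostB", 500, {"hids", "antivirus"})
    return web, db, a, b
```

Running `audit` on the destination host after a migration shows that the findings attached to a virtual machine follow it, while the host's own gaps stay with the host.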
